Make WordPress Core

Opened 8 weeks ago

Last modified 8 weeks ago

#62604 new enhancement

Prevent false-positive in validate_callback() in REST API

Reported by: Takahashi_Fumiki
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: trunk
Component: REST API
Keywords: has-patch
Focuses:
Cc:

Description (last modified by dd32)

Related: https://github.com/WP-API/docs/issues/194

'type' => 'string',
'validate_callback' => function( $should_be_date ) {
     return preg_match( '/^\d{4}-\d{2}-\d{2}$/u', $should_be_date );
}

The above validation expects the parameter to be in 'YYYY-MM-DD' format, but it actually accepts any string as "valid" because preg_match() returns 0 (a falsy value) for a mismatch.

So, validation priority should be is_wp_error() -> "is true?" -> "else, invalid."

Concerns:

strpos() returns 0 for a match.
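
An added example (not code from the ticket, the PR or WordPress core) that models the two checks the description contrasts and runs the ticket's callback, a strict-bool rewrite and a strpos() callback through both. Assumptions: `Demo_Error`, `current_check()` and `proposed_check()` are hypothetical stand-ins; the current check is modelled as rejecting only a strict `false` or an error object, and "is true?" is read as a truthiness test.

```php
<?php
// Stand-in for WP_Error so the sketch runs without WordPress (hypothetical).
final class Demo_Error {}

// Assumed model of the current check: only strict false or an error is invalid.
function current_check( $result ): bool {
    return ! ( $result instanceof Demo_Error ) && false !== $result;
}

// Priority proposed in the ticket: error -> "is true?" -> else invalid.
// Reading "is true?" as a truthiness test is an assumption.
function proposed_check( $result ): bool {
    return ! ( $result instanceof Demo_Error ) && (bool) $result;
}

// Callback from the ticket: returns int 1 or 0 (false on regex error), never true.
$loose_date = function ( $value ) {
    return preg_match( '/^\d{4}-\d{2}-\d{2}$/u', $value );
};

// Hardened form: always a strict bool, so it behaves the same under both checks.
// \A and \z also reject the trailing newline that ^...$ would let through.
$strict_date = function ( $value ): bool {
    return is_string( $value ) && 1 === preg_match( '/\A\d{4}-\d{2}-\d{2}\z/', $value );
};

// Pattern from the "Concerns" line: strpos() returns int 0 for a match at offset 0.
$prefix = function ( $value ) {
    return strpos( $value, 'wp-' );
};

// Constructed sample inputs.
$cases = array(
    array( 'preg_match', $loose_date, '2024-01-31' ),
    array( 'preg_match', $loose_date, 'not-a-date' ),
    array( 'strict bool', $strict_date, 'not-a-date' ),
    array( 'strpos', $prefix, 'wp-core' ),
);

foreach ( $cases as [ $label, $callback, $input ] ) {
    $result = $callback( $input );
    printf(
        "%-12s %-11s returned %-6s current=%-8s proposed=%s\n",
        $label, $input, var_export( $result, true ),
        current_check( $result ) ? 'valid' : 'invalid',
        proposed_check( $result ) ? 'valid' : 'invalid'
    );
}
```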

Change History (2)

This ticket was mentioned in PR #7914 on WordPress/wordpress-develop by @Takahashi_Fumiki.


8 weeks ago
#1

  • Keywords has-patch added

Related: https://github.com/WP-API/docs/issues/194

'type' => 'string',
'validate_callback' => function( $should_be_date ) {
     return preg_match( '/^\d{4}-\d{2}-\d{2}$/u', $should_be_date );
}

The above validation expects the parameter to be in 'YYYY-MM-DD' format, but it actually accepts any string as "valid" because preg_match() returns 0 (a falsy value) for a mismatch.

So, validation priority should be is_wp_error() -> "is true?" -> "else, invalid."

Concerns:

strpos() returns 0 for a match. This results in a false negative in terms of backward compatibility.

Trac ticket: https://core.trac.wordpress.org/ticket/62604#ticket

#2 @dd32
8 weeks ago

  • Description modified (diff)